privacy-in-design/gitea-migration
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4135f9d5c0b2d334eb6fd4662d5bccd510da1e3d
gitea-migration/phase9_teardown.sh
S 9494645b3a fix: resolve 10 bugs across scripts 
- manage_runner.sh: fix RUNNER_DEFAULT_IMAGE clobbering by renaming
  per-runner var to RUNNER_SECTION_IMAGE; .env fallback now works
- manage_runner.sh: render native runner config.yaml before registration
  so act_runner can read it during --config flag
- manage_runner.sh: add SSH credential validation for remote hosts
  (fail early with clear error instead of cryptic SSH failure)
- phase1/phase2: add UNRAID_DB_IP/FEDORA_DB_IP to conditional
  require_vars when DB_TYPE != sqlite3
- cleanup.sh: only clear manifest when all actions for host succeeded;
  failed actions are preserved for retry
- phase8_cutover.sh: strip empty environment: block from Caddy
  docker-compose when TLS_MODE=existing
- phase5_migrate_pipelines.sh, phase5_teardown.sh, phase9_teardown.sh:
  wrap cd+git in subshells so working directory is always restored
- phase3_post_check.sh: handle both string and numeric runner status
  from Gitea API (offline vs 2)
- configure_env.sh: fix TOTAL_PROMPTS base count (63->64) and move
  DB/repo count adjustments before their prompts are shown

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-01 13:21:30 -05:00

101 lines
3.0 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
# =============================================================================
# phase9_teardown.sh — Remove security scanning workflows from all repos
# Also removes security status checks from branch protection if they were added.
# Clones each repo, removes security-scan.yml, commits + pushes.
# =============================================================================
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
source "${SCRIPT_DIR}/lib/common.sh"
load_env
require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \
GITEA_ADMIN_USER \
REPO_NAMES \
PROTECTED_BRANCH
log_warn "=== Phase 9 Teardown: Security Scanning ==="
read -ra REPOS <<< "$REPO_NAMES"
TEMP_BASE="/tmp/gitea-migration-security-teardown"
GITEA_BASE_URL="${GITEA_INTERNAL_URL%/}"
ASKPASS_SCRIPT=""
cleanup() {
rm -rf "$TEMP_BASE"
if [[ -n "$ASKPASS_SCRIPT" ]]; then
rm -f "$ASKPASS_SCRIPT"
fi
}
trap cleanup EXIT
setup_git_auth() {
ASKPASS_SCRIPT=$(mktemp)
cat > "$ASKPASS_SCRIPT" <<'EOF'
#!/usr/bin/env sh
case "$1" in
*sername*) printf '%s\n' "$GITEA_GIT_USERNAME" ;;
*assword*) printf '%s\n' "$GITEA_GIT_TOKEN" ;;
*) printf '\n' ;;
esac
EOF
chmod 700 "$ASKPASS_SCRIPT"
}
git_with_auth() {
GIT_TERMINAL_PROMPT=0 \
GIT_ASKPASS="$ASKPASS_SCRIPT" \
GITEA_GIT_USERNAME="$GITEA_ADMIN_USER" \
GITEA_GIT_TOKEN="$GITEA_ADMIN_TOKEN" \
"$@"
}
printf 'This will remove security-scan.yml from all repos. Continue? [y/N] '
read -r confirm
if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
log_info "Teardown cancelled"
exit 0
fi
setup_git_auth
for repo in "${REPOS[@]}"; do
log_info "--- Processing: ${repo} ---"
# Check if security-scan.yml exists before cloning
if ! gitea_api GET "/repos/${GITEA_ORG_NAME}/${repo}/contents/.gitea/workflows/security-scan.yml" >/dev/null 2>&1; then
log_info "No security-scan.yml in ${repo} — already clean"
continue
fi
# Clone, remove, commit, push
CLONE_DIR="${TEMP_BASE}/${repo}"
rm -rf "$CLONE_DIR"
REPO_URL="${GITEA_BASE_URL}/${GITEA_ORG_NAME}/${repo}.git"
git_with_auth git clone -q "$REPO_URL" "$CLONE_DIR"
if [[ -f "${CLONE_DIR}/.gitea/workflows/security-scan.yml" ]]; then
rm -f "${CLONE_DIR}/.gitea/workflows/security-scan.yml"
(
cd "$CLONE_DIR"
git config user.name "Gitea Migration"
git config user.email "migration@gitea.local"
git add -A
git commit -q -m "Remove security scanning workflow (teardown)"
git_with_auth git push -q origin HEAD
)
log_success "Removed security-scan.yml from ${repo}"
fi
# Remove security status checks from branch protection
# Reset to empty status check contexts
PATCH_PAYLOAD=$(jq -n '{status_check_contexts: []}')
gitea_api PATCH "/repos/${GITEA_ORG_NAME}/${repo}/branch_protections/${PROTECTED_BRANCH}" "$PATCH_PAYLOAD" >/dev/null 2>&1 || true
log_info "Cleared security status checks from branch protection for ${repo}"
done
log_success "Phase 9 teardown complete"
Reference in New Issue View Git Blame Copy Permalink